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1  Overview 


In  1994  personnel  from  Rome  Laboratory  (RL),  Kaman  Science  (KS),  Kestrel  Institute,  and 
the  Electric  Power  Research  Institute  (EPRI)  began  a  joint  project  to  develop  scheduling 
tools  for  power  plant  outage  activities.  This  report  describes  our  support  for  this  joint  effort. 
The  project  uses  KIDS  (Kestrel  Interactive  Development  System)  to  generate  schedulers  from 
formal  specifications  of  the  power  plant  domain  outage  activities. 


2  Technical  Approach 


The  Kestrel  Interactive  Development  System  (KIDS)  provides  automated  support  for  the 
development  of  correct  and  eflicient  programs  from  formal  specifications.  The  system  has 
components  for  performing  algorithm  design,  deductive  inference,  program  simplification, 
partial  evaluation,  finite  differencing  optimizations,  data  type  refinement,  compilation,  and 
other  development  operations.  KIDS  has  been  used  to  design  and  optimize  many  programs, 
including  a  variety  of  high-performance  schedulers  in  the  transportation  domain. 

Building  a  domain  theory  for  power  plant  maintenance  activities  is  the  most  time-consuming 
part  of  producing  useful  scheduling  tools.  It  requires  defining  sorts,  operations,  and  axioms 
that  capture  the  basic  concepts  of  the  domain  and  the  laws  for  reasoning  about  them. 
The  domain  theory  then  provides  the  vocabulary  for  writing  specifications  for  particular 
scheduling  problems.  Once  the  theory  and  problem  specifications  have  been  developed  (and 
this  is  usually  an  iterative  process),  KIDS  can  be  used  to  generate  executable  code  from 
the  specifiation.  We  have  built  over  a  hundred  theories  for  various  application  domains 
and  common  mathematical  and  data  structures.  We  have  used  KIDS  to  synthesize  many 
programs,  many  of  which  axe  comparable  or  better  than  manually  produced  programs. 

Kestrel  persoimel  assisted  in  the  following  aspects  of  the  project.  Details  may  be  fovmd  in 
the  attached  technical  report. 

•  Building  a  domain  theory  -  This  involved  defining  the  basic  concepts  of  the  domain, 
writing  a  formal  specification  of  the  outage  scheduling  problem,  providing  laws  for 
specific  terms  in  the  specification,  and  developing  a  global  search  theory  for  outage 
scheduling.  The  result  is  about  2000  lines  of  Refine  text. 

•  Deriving  propagation  constraints  for  safety  constraint  -  The  safety  constraints  are  key 
to  the  success  of  an  outage  scheduler.  It  turns  out  that  their  form  is  unusual  and 
required  a  generalization  of  our  previously  developed  methodology  for  inferring  prop¬ 
agation  constraints.  Drs.  Gomes  and  Smith  worked  out  various  versions  of  these 
constraints  during  the  project.  Many  hours  were  spent  carefully  working  out  mathe¬ 
matical  calculations  on  paper,  which  were  then  summarized  as  lemmas  in  the  domain 
theory. 
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•  Extending  the  constraint  propagation  code  generator  -  The  new  class  of  propagation 
constraints  arising  from  the  safety  constraint  required  extensions  to  the  constraint 
propagation  code  generator  which  were  performed  by  Dr.  Westfold. 

•  Developing  an  interface  for  the  ATOSS  system  -  Finally,  in  order  to  have  a  usable  sys¬ 
tem,  we  adapted  the  CLIM  interface  that  Kestrel  developed  for  KTS  (Kestrel  Trans¬ 
portation  Scheduler)  to  the  needs  of  outage  scheduling,  resulting  in  the  ATOSS  system 
that  was  demonstrated  at  the  Utility  workshop  in  December  1995. 


Under  separate  contracts  we  continue  to  develop  the  theory  and  implementation  techniques 
that  apply  to  the  kind  of  resources  and  constraints  that  arise  in  power  plant  outage  schedul¬ 
ing.  We  hope  to  continue  our  support  for  the  development  of  ATOSS. 
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Challenges  in  Deploying  Planning  and  Scheduling 

Systems: 

Outage  Management  of  Nuclear  Power  Plants 

Carla  P.  Gomes  Douglas  Smith  and  Stephen  Westfold 

Rome  Laboratory*  Kestrel  Institute 

525  Brooks  Rd.  3260  Hillview  Avenue 

Rome  Lab,  NY  13441-4505  Palo  Alto,  CA  94304 

gomes@  ai .  rl .  af .  mil  {  smith ,  westfold  }  @kest  rel .  edu 


Abstract 

We  address  the  challenges  of  deploying  AI  planning  and  scheduling  systems 
in  real  world  environments.  In  particular,  we  discuss  the  management  of  refuel¬ 
ing  outages  of  nuclear  power  plants,  a  domain  for  which  the  existence  of  good 
automatic  solutions  is  not  only  crucial  for  nuclear  safety  reasons  but  also  for  eco¬ 
nomic  reasons  —  the  cost  of  each  day  of  shutdown  is  in  the  order  of  $1,000,000. 
We  report  on  a  successful  project  for  transference  of  advanced  planning  and 
scheduling  technology  for  outage  management,  a  collaboration  between  Rome 
Laboratory,  the  Electrical  Power  Research  Institute  (EPRI),  Kaman  Science, 
and  Kestrel  Institute  as  part  of  DOD’s  dual-use  program. 


Our  current  system  handles  up  to  2,000  activities  and  was  completed  in  November  1995.  In 
December,  we  gave  a  demonstration  of  the  system  to  the  the  management  of  several  large 
utilities  (American  Electric  Power,  Pennsylvania  Power  &  Light,  GPU  Nuclear  Co.,  PECO, 
and  others).  The  demonstration  was  successful,  and  EPRI  will  use  the  system  to  build  the 
next  generation  of  outage  scheduling  tools  (referred  to  as  the  Advanced  Technology  Outage 
Scheduler). 

Since  our  paper  describes  a  successful  prototype  rather  than  a  fully  deployed  .system,  we 
would  like  our  work  to  be  considered  for  inclusion  on  one  of  the  panels  or  special  sessions 
about  emerging  applications  areas.  (As  per  communication  with  Howard  Shrobe,  we  under¬ 
stand  that  such  panels  are  part  of  the  plan  to  broaden  the  scope  of  lAAI.)  We  feel  that  the 
complexities  and  economic  relevance  of  our  application  domain  offer  a  unique  application  area 
for  modern  AI  planning  and  scheduUng  techniques.  Feel  free  to  contact  us  (gomes@ai.rl.mil), 
if  you  have  any  further  questions.  Thank  you  for  your  consideration. 

‘Carla  P.  Gomes  works  for  Rome  Laboratory  as  a  Research  Associate. 
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1  Introduction 


Planning  and  scheduling  tasks  are  inherently  complex.  In  computational  terms,  they 
are  intractable,  i.e.,  NP-hard  or  worse.  As  a  practical  consequence,  realistic  size  plan¬ 
ning  and  scheduling  problems  cannot  be  solved  optimally  in  a  “reasonable”  amoimt  of 
time.  Nonetheless,  solutions  have  to  be  found  for  real-world  problems,  and  therefore 
heuristic  approaches  have  to  be  adopted,  ideally  with  some  guarantee  on  the  quality 
of  the  solution. 

We  focus  on  the  real-world  problem  of  multiple  resource-constrained  project  manage¬ 
ment.  This  problem  is  very  common  in  manufacturing  and  it  is  a  generalization  of 
the  well-known  job-shop  scheduling  problem  [Blazewicz  et  al.  83,  Vaessens  et  al.  94]. 
As  a  particular  instance  of  this  problem,  we  consider  the  management  of  outages  of 
nuclear  power  plants.  An  outage  is  a  planned  shutdown  for  refueling,  repair,  and 
maintenance.  It  is  a  rather  daunting  real-world  task  that  may  involve  from  10, 000 
up  to  45,000  activities.  Furthermore,  in  this  domain,  the  existence  of  good  automatic 
solutions  is  not  only  crucial  for  nuclear  safety  reasons  but  also  for  economic  reasons 
—  the  cost  per  day  of  shutdown  is  in  the  order  of  $1,000,000. 

We  report  on  a  successful  project  for  transference  of  advanced  planning  and  schedul¬ 
ing  technology  for  outage  management,  a  collaboration  between  Rome  Laboratory, 
the  Electrical  Power  Research  Institute,  Kaman  Science,  and  Kestrel  Institute  as 
part  of  DOD’s  dual-use  program.  The  software  environment  selected  for  this  pro¬ 
ject  was  KIDS  (Kestrel  Interactive  Development  System)  [Smith  91],  which  is  a  set 
of  semiautomatic  tools  to  transform  declarative  problem  specifications  into  correct 
and  eflScient  programs.  KIDS  has  been  used  to  derive  a  fast  transportation  sched¬ 
uler  for  the  US  Transportation  Command,  KTS  (Kestrel  Transportation  Scheduler) 
[Smith  Sz  Parra  93].  KTS  schedules  15,460  individual  movement  requirements  in  71 
cpu  seconds  on  a  Spaxc  2.  Furthermore,  the  resulting  schedules  produced  by  KTS 
have  proven  to  be  of  good  quality. 

The  main  goal  of  the  project  was  to  evaluate  the  use  of  advanced  Al  planning  and 
scheduling  technology  for  management  of  outages  of  nucleax  power  plants.  In  this  do¬ 
main,  risk  and  safety  management  axe  sine  qua  non  conditions  and  therefore  a  planning 
and  scheduling  system  (automatic  or  manual)  has  to  enforce  safety  constraints  guar¬ 
anteeing  that  the  state  of  the  plant  is  safe  at  any  time  during  an  outage.  The  current 
automatic  technology  for  outage  scheduling  used  by  the  utilities  does  not  incorpor¬ 
ate  safety  requirements  —  currently,  safety  and  risk  management  still  heavily  rely  on 
manual  rather  than  on  automatic  procediures.  We  adopt  an  integrated  approach,  by 
automatically  enforcing  safety  constraints  during  the  planning  and  scheduling  phase. 
Our  work  shows  that  Al  planning  and  scheduling  techniques  provide  enough  flexibil¬ 
ity  for  capturing  such  a  diverse  and  complex  set  of  constraints  in  a  large,  real-world 
application. 

The  outage  problem  is  modeled  as  a  constraint  satisfaction  problem  combining  a  global 
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search  tactic  with  constraint  propagation.  We  use  a  rich  representation  for  the  state  of 
the  plant  at  any  time  (a^  in  planning  approaches),  which  allows  for  efficient  constraint- 
based  reasoning,  in  particular,  temporal  reasoning  (as  in  scheduling).  The  derivation 
of  very  specialized  representations  for  the  constraints  to  perform  efficient  propagation 
is  a  key  aspect  for  the  generation  of  very  fast  schedules  —  constraints  are  compiled  into 
the  code.  In  order  to  increase  schedule  robustness,  our  approach  entails  the  generation 
of  schedules  that  are  feasible  over  time  intervals  rather  than  single  time  point  start 
times. 

In  the  next  section,  we  describe  the  current  state-of-the-art  of  outage  management  for 
nucleax  power  plants,  and  discuss  its  lirmtations.  In  section  3,  we  describe  ROMAN, 
the  prototype  system  developed  by  Rome  Laboratory  for  Outage  Management.  Section 
4  summarizes  the  main  results  achieved  with  ROMAN. 


2  Outage  Management  of  Nuclear  Power  Plants 


Outage  management  of  nuclear  power  plants  hcis  a  great  impact  in  terms  of  the  outage 
costs  (replacement  power,  labor  cost,  etc.)  and  implementation  of  safety  procedures. 
Prior  to  1979,  before  the  accident  at  Three  Mile  Island,  refueling  was  the  driving 
factor  behind  outages  of  nuclear  power  plants:  maintenance  plans  were  governed  by 
the  projected  duration  of  refueling  activities.  After  the  accident,  the  duration  of 
outages  became  determined  not  only  by  refueling  activities,  but  also  by  the  work 
and  plant  modifications  required  to  make  the  plant  safer  and  more  reliable  [PSDI  94, 
Wallace  90].  Therefore,  nowadays,  refueling  activities  often  no  longer  dictate  the 
critical  path  in  an  outage. 

Outage  mauagement  of  nuclear  power  plants  can  be  stated  as  follows: 


Given  a  set  of  outage  activities  (refueling  operations,  repairs,  modifica¬ 
tions,  and  maintenance  activities),  a  set  of  resources,  and  a  set  of  techno¬ 
logical  constraints,  assign  times  and  resources  to  the  activities  in  such  way 
that  the  completion  of  the  outage  is  minimized  while  safely  performing  all 
the  activities  required  by  the  outage. 

Depending  on  the  planning  and  scheduling  procedures  of  each  particular  plant,  as  weU 
as  the  scope  of  the  activities  performed  during  the  outage,  the  planning  and  scheduling 
of  outages  for  nucleax  power  plants  might  involve  from  10,000  up  to  45,000  activities. 

The  general  principle  underlying  the  outage  procedures  is  that  outages  should  be  as 
short  as  possible,  maintaining  the  appropriate  level  of  nucleax  safety.  In  other  words, 
the  outage  should  be  planned  and  managed  to  reduce  shutdown  risks  through  the 
appropriate  consideration  of  preventive  measures.  The  main  safety  fimctions  and  sys¬ 
tems  components  that  axe  monitored  during  an  outage  are:  AC  power  control  system. 
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primary  and  secondary  containment,  fuel  pool  cooling  system,  inventory  control,  re¬ 
activity  control,  shutdown  cooling,  and  vital  support  systems. 


2.1  Outage  Management  in  the  Real  World 

There  are  approximately  110  nuclear  plants  operating  in  the  US,  most  of  them  are 
members  of  EPRI,  the  Electrical  Power  Research  Institute.  Outage  management  still 
heavily  relies  on  the  experience  of  the  manual  schedulers,  rather  than  on  automatic 
procedures.  Current  automatic  approaches  to  outage  management  mainly  consist  of 
the  application  of  project  management  techniques,  such  as  PERT/CPM  techniques.^ 
Safety  and  risk  assessment  is  usually  a  manual  process  which  calls  on  the  expertise  of 
the  personnel  involved  to  make  decisions  based  on  published  policies  and  procedures. 
In  order  to  ensure  that  the  sequence  of  activities  performed  during  an  outage  follows 
the  safety  requirements,  EPRI  performs  the  risk  assessment  of  the  schedules  generated 
by  the  utilities  using  a  simulator  that  validates  the  schedule  regarding  safety  fimctions 
by  keeping  track  of  the  configuration  of  the  plant  at  any  time.  If  the  schedules  are  not 
approved  by  EPRI,  manual  adjustments  have  to  be  performed  in  order  to  meet  the 
safety  requirements. 

Even  though  the  usage  of  project  management  techniques  such  as  PERT /CPM  consti¬ 
tutes  a  major  improvement  in  the  way  outage  management  is  performed  in  comparison 
to  previous  techniques,  they  suffer  from  major  limitations  due  to  the  lack  of  consider¬ 
ation  of  safety  constraints  and  the  lack  of  speed  to  perform  “what-if”  scenarios. 


3  ROMAN 


Rome  Laboratory  in  collaboration  with  the  Electrical  Power  Research  Institute,  Ka- 
man  Science  and  Kestrel  Institute  developed  a  prototype  for  planning  and  scheduling 
of  outages  of  nuclear  power  plants,  ROMAN  (Rome  Laboratory  Outage  MANager), 
within  the  DOD’s  dual-use  program  [Gomes  96]. 

As  we  discussed  in  the  introduction,  ROMAN  models  the  outage  management  problem 
as  a  constraint  satisfaction  problem  combining  a  global  search  tactic  with  constraint 
propagation.  The  domain  model  of  ROMAN  includes  all  the  technological  constraints 
currently  incorporated  in  the  automatic  tools  used  by  the  utilities  for  schedule  gen¬ 
eration.  In  addition,  it  includes  all  the  constraints  regarding  the  safety  function  AC 
power.  Other  safety  fimctions  could  be  modeled  in  a  similar  way.  A  top  level  formal 
specification  of  the  outage  problem  as  follows: 

^The  software  currently  used  by  the  utilities  to  perforin  their  outage  planning  and  scheduling 
tasks  are  mainly:  Primavera  Project  Planner  for  Windows  (personal  computers),  Project/2  (mzun- 
frames),  Project2/X  for  Windows  (personal  computers),  Prestige  (mainframes)  and  OpenPlan  (per¬ 
sonal  computers). 
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function  :  safe-outage-windows  [activities) 
returns{schedule  ] 

Consistent- Activity-Separation{schedule)and 
Consistent- AC-power[schedule)and 
All-activities-scheduled  [activities,  schedule)) 


In  this  formulation  activities  correspond  to  the  set  of  activities  to  be  performed. 
Each  activity  has  a  given  duration,  a  set  of  predecessors  (pred),  and  a  set  of  ef¬ 
fects  on  resources.  The  schedule  is  a  partial  order  of  activities.  Activities  in  the 
schedule  have  time  windows  assigned  to  it.  A  time  window  defines  the  earliest  start 
time  [est)  and  latest  staxt  time  [1st)  of  an  activity,  such  that  the  activity  can  start 
at  any  time  during  the  window  without  increasing  the  overall  duration  of  the  pro¬ 
ject.  Given  the  duration  of  the  activity,  the  earliest  finish  time  [eft)  and  latest  finish 
time  [IJi)  can  be  calculated.  The  predicate  Consistent-Activity-Separation[schedule) 
states  that  all  the  activities  in  the  schedule  satisfy  the  precedence  constraints.  The 
predicate  Consistent-AC-power[schedule)  states  that  the  schedule  verifies  the  safety 
constraints,  from  an  AC  power  point  of  view.  As  a  completeness  condition,  the  pre¬ 
dicate  All-activities-scheduled  [activities,  schedule)  states  that  all  the  activities  have 
to  be  scheduled. 

The  notion  of  state  of  the  plant  is  a  key  concept  in  enforcing  safety  constraints.  In 
outage  management  the  state  of  the  plant  is  measured  in  colors  —  green,  yellow, 
orange  or  red,  in  this  order  of  increasing  risk  —  and  is  computed  by  considering 
complex  decision  trees  regarding  safety  levels  as  illustrated  in  Figure  1  for  the  safety 
function  AC  power  control.  For  instance,  if  there  is  an  activity  being  executed  that 
has  the  potential  to  cause  AC  power  loss,  then  in  order  for  the  plant  to  be  in  a  yellow 
state  it  is  required  to  have  two  off-site  AC  power  sources  available  and  three  operable 
emergency  safeguard  buses. 

Since  the  start  times  of  activities  are  defined  over  time  windows,  we  introduce  two 
concepts  regarding  the  execution  of  an  activity:  the  definite  period  and  the  potential 
period  of  an  activity.  The  definite  period  of  an  activity  corresponds  to  the  period 
of  time  during  which  the  activity  is  defimtely  being  execute  it  is  the  time  period 
between  the  latest  start  time  of  the  activity  [1st)  and  its  earliest  fimsh  time  [eft).  The 
potential  period  of  an  activity  corresponds  to  the  period  of  time  during  which  the 
activity  may  be  executed  —  it  is  the  time  period  between  the  earliest  start  time  of  the 
activity  [est)  and  its  latest  finish  time  [Ift).  Figure  2  illustrates  the  notion  of  definite 
period  of  an  activity.  Notice  that  activity  A  does  not  have  a  defimte  period,  since  its 
eaxliest  finish  time  is  before  its  latest  start  time. 

In  addition,  we  define  two  other  concepts:  definite  state  of  the  plant  and  potential 
state  of  the  plant.  The  definite  state  of  the  plant  is  associated  with  the  concept  of 
definite  period:  it  represents  the  state  of  the  plant  for  a  given  safety  function  [e.g., 
AC  power)  assuming  that  activities  are  only  executed  during  their  definite  period. 
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Figure  1:  Example  of  a  decision  tree  for  the  safety  function  AC  Power 


The  concept  of  potential  state  of  the  plant  is  associated  with  the  concept  of  potential 
period  of  an  activity:  it  represents  the  state  of  the  plant  for  a  given  safety  function 
assuming  that  activities  are  executed  during  the  whole  extension  of  their  potential 
period.  The  potential  state  of  the  plant  is  always  ^equal”  or  ^greater”  than  the  state 
of  the  plant  since  the  definite  period  of  an  activity  tends  to  underestimate  the  duration 
of  activities  while  the  potential  period  of  an  activity  tends  to  overestimate  the  duration 
of  activities.  Figure  3  gives  an  example.  Note  that  during  certain  time  intervals,  the 
definite  and  potential  states  of  the  plant  coincide. 
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Figure  2:  Notion  of  a  definite  period. 
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Figure  4:  ROMAN’S  approach 

3.1  Search  and  Control  Mechanisms 

KIDS  provides  algorithmic  transformations  that  add  control  and  search  mechanisms 
to  a  given  specification.  The  search  tactic  selected  for  the  outage  problem  was  global 
search  [Smith  87,  Smith  et  al.  95]  (see  also  next  section).  Figure  4  summarizes  the 
approach  adopted  in  ROMAN. 

Initially  global  search  is  applied  to  the  formal  specification  of  the  outage  problem 
in  order  to  generate  a  schedule,  assuming  the  definite  period  of  activities.  Since  the 
notion  of  definite  period  tends  to  underestimate  the  duration  of  the  activities,  it  is  very 
likely  for  the  schedule  produced  in  this  initial  phcise  not  to  be  fe<isible  from  the  point 
of  view  of  the  potential  state  of  the  plant.  In  order  to  enforce  the  safety  threshold 
for  the  potential  state  of  the  plant  at  any  time  during  the  outage,  “refinement”  of  the 
time  windows  of  the  initial  schedule  takes  place.  In  the  next  section,  we  describe  our 
global  search  strategy. 
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Figure  5:  Global  search  theory  for  the  Outage  Problem  (definite  periods  only). 
3.1.1  Global  Search  Strategy 

The  global  search  tactic  designs  a  backtrack  strategy,  based  on  an  extension  of  “generate- 
aud-test.”  The  tactic  is  implemented  by  finding  a  space  containing  all  the  solutions  to 
the  problem  that  can  be  divided  into  nested  subspaces.  The  global  search  algorithm 
starts  with  an  initial  set  that  contains  all  the  solutions  to  the  given  problem  instance, 
repeatedly  extracts  solutions,  splits  sets,  and  eliminates  subsets  using  propagation, 
imtil  no  sets  remain  to  be  split.  The  process  can  be  described  as  a  tree  search  in 
which  a  node  represents  a  set  of  candidates,  and  an  arc  represents  the  split  relation¬ 
ship  between  a  set  and  a  subset.  The  principal  operations  are  to  extract  candidate 
solutions  from  a  set,  and  to  split  a  set  into  subsets.  The  derivation  of  efficient  cutting 
constraints  that  eliminate  subspaces  that  do  not  contain  any  feasible  solution  is  an 
important  complementary  operation  in  the  derivation  of  the  global  search  tactic. 

Figure  5  illustrates  the  global  search  theory  for  the  outage  problem.  In  the  case  of 
global  search  theory  for  the  initial  scheduling  of  activities  considering  their  definite 
periods  the  initial  subspace  descriptor  (partial  schedule)  is  the  empty  sequence  (empty 
schedule).  Splitting  corresponds  to  appending  an  unscheduled  activity,  with  a  given 
time  window,  to  the  partial  schedule.  Cutting  corresponds  to  propagating  the  con¬ 
straints  over  the  time  windows  of  the  activities  in  the  partial  schedule.  Notice  that 
cutting  maies  the  time  windows  shrink.  It  can  also  split  a  time  window  ais  in  the  case 
of  adding  activity  G  —  due  to  propagation,  activity  G’s  window  was  split  into  two. 

A  candidate  solution  is  extracted  when  all  the  activities  have  been  scheduled. 
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Figure  6:  Cutting  Constraints 


As  we  can  see  from  Figure  5,  most  of  the  work  in  this  global  search  theory  is  per¬ 
formed  by  constraint  propagation.  Splitting  corresponds  to  selecting  the  next  activity 
to  schedule.  Figure  6  illustrates  the  concept  of  cutting  constraints  —  psched  is  a 
partial  schedule  corresponding  to  a  set  of  candidate  solutions  (i.e.,  complete  sched¬ 
ules).  Cutting  constraints  remove  portions  of  the  search  space  that  do  not  contain 
any  feasible  solution. 

KIDS  automatically  instantiates  a  program  scheme  for  global  search  with  constraint 
propagation,  incorporating  cutting  constraints.  In  order  to  take  advantage  of  the 
propagation  mechanisms  provided  in  KIDS,  the  challenge  lies  in  deriving  the  defin¬ 
ition  of  the  cutting  constraints,  normally  a  manual  task.  For  more  information  on 
propagation  in  KIDS,  see  [Smith  et  al  95].  For  more  information  on  cutting  con¬ 
straints  for  the  outage  problem,  see  [Gomes  96]. 

Refinement  of  time  windows  takes  place  if  after  applying  the  initial  global  search  to  the 
outage  problem  the  potential  state  of  plant  does  not  satisfy  the  safety  requirements.  In 
other  words,  refinement  of  time  windows  is  required  to  enforce  the  safety  constraints 
over  the  potential  period  of  all  the  activities  in  the  initial  schedule.  This  is  achieved 
by  applying  a  new  global  search  to  the  formal  specification  of  the  outage  with  as 
input  the  schedule  generated  in  the  initial  phase.  In  this  second  phase  the  windows  of 
the  activities  that  contribute  to  the  contention  periods,  t.e.,  the  periods  in  which  the 
potential  state  of  the  plant  is  above  the  safety  threshold,  are  systematically  reduced, 
until  the  potential  state  of  the  plant  becomes  consistent  for  all  the  times  during  the 
outage. 

^In  the  global  search  theory  for  the  refinement  phase  splitting  corresponds  to  reducing  the  size  of 
the  windows  of  the  activities  involved  in  the  contention  periods. 
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4  Conclusions:  Performance  and  Expected  Pay  Off 


ROMAN  has  proven  successful  since  it  clearly  extends  the  current  fimctionality  offered 
by  existing  software  tools  for  outage  management; 


•  All  the  technological  constraints  currently  used  for  automatic  schedule  generation 
are  incorporated.  In  addition,  ROMAN  produces  schedules  satisfying  the  safety 
constraints. 

•  More  robust  schedules  are  obtained  by  guaranteeing  feasibility  over  time  win¬ 
dows. 

•  Very  fast  schedule  generation:  the  current  version  of  ROMAN  handles  up  to 
2,000  activities  in  approximately  1  minute  on  a  Sparc  2. 

•  The  schedules  are  often  better  than  the  current  solutions  since  many  new  pos¬ 
sibilities  are  explored.^ 

The  current  version  of  ROMAN  was  completed  in  November  1995,  and  it  has  been 
demonstrated  to  several  large  nuclear  power  plants  such  as  American  Electric  Power 
Service,  Baltimore  Gas  k  Electric,  PECO  Energy,  etc.  The  demonstration  was  suc¬ 
cessful,  and  EPRI,  a  consortium  of  more  than  90%  of  the  utilities  in  the  US,  has 
decided  to  use  the  approach  embodied  in  ROMAN  to  build  the  next  generation  of 
outage  scheduling  tools  —  referred  to  as  Advanced  Technology  Outage  Scheduler. 
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MISSION 

OF 

ROME  LABORATORY 


Mission.  The  mission  of  Rome  Laboratory  is  to  advance  the  science  and 
technologies  of  command,  control,  communications  and  intelligence  and  to 
transition  them  into  systems  to  meet  customer  needs.  To  achieve  this, 
Rome  Lab: 

a.  Conducts  vigorous  research,  development  and  test  programs  in  all 
applicable  technologies; 

b.  Transitions  technology  to  current  and  future  systems  to  improve 
operational  capability,  readiness,  and  supportability; 

c.  Provides  a  full  range  of  technical  support  to  Air  Force  Material 
Command  product  centers  and  other  Air  Force  organizations; 

d.  Promotes  transfer  of  technology  to  the  private  sector; 

e.  Maintains  leading  edge  technological  expertise  in  the  areas  of 
surveillance,  communications,  command  and  control,  intelligence, 
reliability  science,  electro-magnetic  technology,  photonics,  signal 
processing,  and  computational  science. 

The  thrust  areas  of  technical  competence  include:  Surveillance, 
Communications,  Command  and  Control,  Intelligence,  Signal  Processing, 
Computer  Science  and  Technology,  Electromagnetic  Technology, 
Photonics  and  Reliability  Sciences. 


